What are the considerations an organization should look at before deciding to move to the public cloud

CipherCloud was founded in 2010 by pioneers in the field of information security, compliance, and governance, who had a vision of eliminating the major roadblocks impeding cloud adoption - concerns about data privacy, residency, security, and compliance. The company developed an award-winning solution that provides a single gateway as a platform to secure sensitive customer data across multiple public and private cloud applications, including Salesforce, Chatter, Gmail, and Amazon Web Services, without impacting functionality or performance. The company and its patent-pending technology have been recognized for their innovation by industry thought leaders with many awards, including Gartner’s Cool Vendor in Cloud Security.

In the following interview, Pravin Kothari, Founder and CEO of CipherCloud, discusses 1:1 with Rake Narang, Editor-in-Chief of Network Products Guide, considerations an organization should look at before deciding to move to the public cloud.

Rake Narang: What are the considerations an organization should look at before deciding to move to the public cloud?

Pravin Kothari: For many organizations, the essential questions about cloud security, compliance, visibility and end-to-end control of data remain unanswered. Organizations should start by looking at the sensitivity of the data involved. They need to define and systematically adhere to a sound data classification policy to determine the control mechanisms needed to protect sensitive data. While this principle also applies to on-premises systems, risks derived from having no data classification policy or one that is incorrect are greater in the cloud because data might not be afforded the appropriate protective measures.

Organizations also need to look at the security and privacy controls provided by the cloud provider and ensure that compliance obligations are met throughout the process.

About Pravin Kothari

Pravin Kothari has over 20 years of experience successfully bringing new products to market in information security, cloud computing, compliance, enterprise software, and large-scale software infrastructure. Pravin founded CipherCloud, the leading provider of cloud encryption gateways. Prior to founding CipherCloud, Pravin was Founder and CTO of Agiliance, a Governance, Risk, and Compliance (GRC) software company. Previously, he was Co-founder and VP Engineering of ArcSight, a leading security company, where he led product development for five years from inception to market dominance. ArcSight was acquired by HP for $1.6 billion. Prior to ArcSight, Pravin Kothari was Co-founder and Chief Architect at Impresse Corporation. He has also held technical leadership positions at Verity, Attachmate, and Tata Consultancy Services.

Rake Narang: Should organizations be concerned about the security of cloud applications? What specifically are the threats they should be worried about?

Pravin Kothari: Absolutely. If you pay close attention to your contracts with the cloud provider, you will notice that most of them explicitly limit their liability and accountability to ensuring the security of your data.

CipherCloud is a member of the Cloud Security Alliance (CSA), an organization that has done a great job outlining the key threats to cloud computing. These include:

Malicious Insiders at Cloud Provider: The threat of a malicious insider, which is well known to most organizations, is amplified in a cloud environment due to lack of transparency into provider processes and procedures.

Shared Technology Vulnerabilities: These concerns stem from multi-tenant environments where the underlying infrastructure (CPU, memory, databases, etc.) is shared across many organizations. A small bug (malicious or accidental) can allow customers to access other tenants’ actual or residual data, network traffic, etc.

Data Leakage: This can result from insufficient data access, authorization and encryption controls.

Account Hijacking: Attack methods include phishing, fraud, and malware where credentials and passwords are often reused, which amplifies the impact of such attacks.

Ultimately, many of these concerns arise due to inadequate visibility and control. Cloud vendors do not always disclose the details of how their services work, which third-party partners they use, and exactly where data is located, including all copies and backups.

Rake Narang: What is a cloud encryption gateway? How does it work? Which type of organizations need one? Are there certifications that are important?

Pravin Kothari: Encryption is a typical solution for data confidentiality and integrity requirements. However, traditional encryption methods (encryption provided at database and storage layers) that worked well inside organizations no longer work for cloud applications because encryption keys reside with cloud providers and data remains in the clear at the application and API layers—they’re exposed to all the cloud threats we discussed earlier. As the traditional encryption methods have failed to address complex problems in the evolving cloud environment, emerging companies like CipherCloud are providing innovative solutions to address these key challenges.

Encryption gateways, like CipherCloud’s, take a different approach. They allow organizations to retain complete control over their data in the cloud by applying strong encryption, in real time, before sensitive data leaves the enterprise, using keys that are retained and managed by the enterprise at all times. The encryption provided is operations-preserving so as not to impact the application functionality and usability. Since the data is strongly encrypted before leaving the enterprise, it remains protected from all the external and cloud threats.

This technology is particularly important for organizations that must adhere to strict regulations, and for organizations that do business in countries with strict data residency laws. However, any organization that stores sensitive customer data in the cloud needs to take a close look at using these types of solutions to comply with their own internal security policies.

When organizations look at encryption solutions, one of the most important standards is FIPS 197—that’s the Federal Information Processing Standard created by the National Institute of Standards and Technology (NIST). Organizations shouldn’t settle for anything less.
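The two ideas the interview ties together, a data classification policy that decides which fields need protection and a gateway that encrypts those fields with enterprise-held keys before anything reaches the cloud, can be shown in a few dozen lines. The Go program below is an added illustration written for this page; it is not CipherCloud's code and makes no claim about how their product works. It uses AES-256-GCM from Go's standard library (AES is the cipher specified by FIPS 197), a constructed policy and constructed sample record, and two hypothetical field names (`ssn`, `notes`). Because the interview stresses that a missing or wrong classification is riskier in the cloud, the gateway fails closed: any field the policy does not mention is encrypted by default.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Sensitivity classes from a constructed data classification policy.
type Sensitivity int

const (
	Public Sensitivity = iota
	Internal
	Confidential
)

// Policy maps record field names to a sensitivity class (constructed example).
type Policy map[string]Sensitivity

// Gateway holds the enterprise-managed AEAD key; the cloud side never sees it.
type Gateway struct {
	aead   cipher.AEAD
	policy Policy
}

// NewGateway wraps a 32-byte key in AES-256-GCM (FIPS 197 block cipher, GCM mode).
func NewGateway(key []byte, policy Policy) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, policy: policy}, nil
}

// IsProtected reports whether a stored value carries the gateway's ciphertext marker.
func IsProtected(value string) bool {
	return len(value) >= 4 && value[:4] == "enc:"
}

// Outbound runs before a record leaves the enterprise. Fields classified below
// Confidential pass through; Confidential and unclassified fields are encrypted.
func (g *Gateway) Outbound(record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		class, known := g.policy[field]
		if known && class < Confidential {
			out[field] = value // pass-through by explicit policy decision only
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// The field name is associated data, so a ciphertext cannot be moved to another column.
		ct := g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
		out[field] = "enc:" + base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Inbound runs when the record comes back from the cloud application and
// restores the protected fields; tampering or a wrong key yields an error.
func (g *Gateway) Inbound(record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		if !IsProtected(value) {
			out[field] = value
			continue
		}
		ct, err := base64.StdEncoding.DecodeString(value[4:])
		if err != nil {
			return nil, err
		}
		ns := g.aead.NonceSize()
		if len(ct) < ns {
			return nil, errors.New("ciphertext too short")
		}
		pt, err := g.aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", field, err)
		}
		out[field] = string(pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // enterprise-held key; generated locally, never sent to the provider
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gw, err := NewGateway(key, Policy{"name": Public, "ssn": Confidential})
	if err != nil {
		panic(err)
	}
	// Constructed sample record; "notes" is deliberately left out of the policy.
	stored, _ := gw.Outbound(map[string]string{"name": "A. Example", "ssn": "123-45-6789", "notes": "unclassified"})
	fmt.Println("as seen by the cloud application:", stored)
	restored, _ := gw.Inbound(stored)
	fmt.Println("as seen inside the enterprise:", restored)
}
```

One design choice worth noting: GCM with a random nonce is randomized, so two records with the same value in a protected field produce different ciphertexts, which is what you want for confidentiality but means the cloud application cannot search or sort on that field. The operations-preserving encryption the interview refers to exists precisely to recover some of that functionality, and every such scheme gives up a measurable amount of the protection shown here, so the classification policy should record which fields genuinely need to stay searchable.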